Assign permissions to support TFS-Project Server integration

Assigning permissions is the first step in configuring Team Foundation Server and Project Server to support data synchronization. You must grant permissions to several accounts—administrators, service accounts, and team members. You must also make sure that specific service accounts have access as a Shared Services Provider (SSP) for the server that hosts SharePoint Products for Project Server.

Team Foundation Administrators group, required to grant TFS permissions. You must also have access to the Team Foundation Administration Console. Set administrator permissions for Team Foundation Server.

Administrator for Project Web App for each instance of Project Web Access or Project Web App (PWA), required to grant Project Server permissions. You must also have access to Project Server through PWA.

Administrators security group for the SQL Server databases for Project Server, required to grant permissions to the PWA Reporting and Publishing databases.

Farm Administrators group, the administrators group for the Web application that supports Project Server, or the SharePoint Administration group, required to grant SSP permissions. Group membership will depend on the security architecture of your deployment.

You will not be able to register the PWA if its authentication is set to Claims Based Authentication. If you’re not sure which authentication mode is set, or you need to switch authentication modes, jump to this section.

For Project Server 2013:

Two permission modes are supported: SharePoint permission mode and Project Server permission mode. Both modes use claims-based authorization. The permissions that you need to assign differ, depending on which permission mode is set.

SharePoint permissions mode creates SharePoint groups that directly correspond to the default security groups found in Project Server permission mode. These groups are used to grant users varying levels of access to projects and Project Server functionality. SharePoint permission mode is new for Project Server 2013.

New Project Web App instances use the SharePoint permission mode by default. In an on-premises installation, the mode can be changed for a given instance of Project Web App by using the Set-SPProjectPermissionMode Windows PowerShell cmdlet.

Project Server permission mode provides a set of customizable security groups and other functionality that is distinct from SharePoint groups. This security platform operates independent from the SharePoint permissions in the farm and allows you to fine tune the permission levels for Project Web App users. This is the same permission mode that was available in Project Server 2010.
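Because the mode decides whether accounts go into SharePoint groups or into Project Server security groups, the first thing to settle for a Project Server 2013 instance is which mode it is in. The script below is an added example, not code from the original article or from the product; it reports the mode with Get-SPProjectPermissionMode and only switches it when asked to, because changing the mode discards the instance's existing security settings. The PWA URL is a placeholder for your own deployment.

```powershell
# Added example (not from the original article): report, and optionally switch, the
# permission mode of a Project Server 2013 PWA instance.
# Run in the SharePoint 2013 Management Shell on a farm server.
param(
    [string]$PwaUrl = 'http://projectserver.example.com/pwa',   # placeholder for your PWA URL
    [ValidateSet('ProjectServer', 'SharePoint')]
    [string]$TargetMode,                                         # omit to report only
    [switch]$Force                                               # required before the mode is changed
)

if (-not (Get-Command Get-SPProjectPermissionMode -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$current = (Get-SPProjectPermissionMode -Url $PwaUrl).ToString()
Write-Output "PWA '$PwaUrl' is in $current permission mode."

# The mode determines where the accounts described in this article must be added.
switch ($current) {
    'SharePoint'    { Write-Output 'Add accounts to the SharePoint groups "Team Members for Project Web App" and "Administrators for Project Web App".' }
    'ProjectServer' { Write-Output 'Add accounts to the Project Server groups Team Members, Project Managers and Administrators, and verify Category permissions.' }
}

if ($TargetMode -and $TargetMode -ne $current) {
    if (-not $Force) {
        Write-Warning "Would switch '$PwaUrl' to $TargetMode mode. Re-run with -Force to apply; switching modes deletes the instance's existing security settings."
        return
    }
    Set-SPProjectPermissionMode -Url $PwaUrl -Mode $TargetMode
    Write-Output "Switched '$PwaUrl' to $TargetMode mode; re-assign the permissions described in this article."
}
```

Run it without -TargetMode to audit a farm before registering a PWA; the -Force gate keeps a copy-and-paste run from silently wiping the security configuration of an instance that is already in use.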

To minimize manually adding users to TFS and Project Server, create Windows or Active Directory groups. You can then add these groups to TFS groups, Project Server, and SharePoint sites which have pre-defined permissions. Also, you can synchronize resources with Active Directory across multiple domains and forests.

Identify the following service accounts, user accounts, or Active Directory groups that have been configured and will need access to the resources that support data synchronization between TFS and Project Server.

You must assign permissions to three service accounts. Grant these permissions for each PWA instance that participates in data synchronization, for the SharePoint server, and for the Reporting and Publishing databases of each PWA instance, by using the following applications: the PWA site, SharePoint Central Administration, and SQL Server Management Studio. Before you grant permissions, make sure that you have identified all the service accounts that are used in your deployment.

Details for each permission to be granted are provided in the numbered sections.

You assign permissions to the accounts of users who configure the integration between TFS and Project Server or who participate in the enterprise project plan, either as a manager or as a team member. Depending on the role, you grant permissions to each PWA instance that participates in data synchronization, to the SharePoint server, to the enterprise resource pool, and to TFS. Grant these permissions by using the following applications: the PWA site, SharePoint Central Administration, the Team Foundation Administration Console, and Team Web Access.

Details for each permission are provided in the numbered sections.

Account or group of users

Add these accounts to the following groups or resource pools, or grant the indicated permissions

From the PWA Settings page, open Manage Users, New User, and then type the required information in each field:

Clear the check box for User can be assigned as a resource if the account is a service account.

For User Authentication, type the account name of the user or service account for TFS.

Clear the check box for Resource can be leveled if the account is an administrator or a service account.

For Security Groups, add the account or group to one of the default groups:

Administrators: the TFS service account and the accounts of users who configure the integration, that is, those who register or unregister PWAs.

Project Managers: users who work with Project Professional and PWA.

Team Members: users who are assigned as a resource and who are assigned to TFS work items.

If you have customized Category permissions, verify that team members have the following Security Categories: Create New Task or Assignment, Create Object Links, Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2010).

Team Members for Project Web App: accounts assigned as resources in the project plan or to the Assigned To field for a work item. Or, add the Active Directory group used to manage these resources.

Administrators for Project Web App: the service accounts for Team Foundation Server, the Project Server web application pool, and the Project Server Event Handler. Also, add the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

PWA Site Collection Administrators: the accounts of users who configure the integration by running the TfsAdmin ProjectServer RegisterPWA/UnRegisterPWA commands.

Grant permissions to both the service account for TFS and the service account for the Project Server web application pool to update the database or databases for each PWA instance. This step is required for all deployments, both Project Server 2010 and Project Server 2013.

On the data-tier server for Project Server, open SQL Server Management Studio.

In the Server type list, select Database Engine.

In Server name, type the name of the server that hosts the databases for Project Server, and then choose Connect.

Note

If SQL Server is installed on a cluster, type the name of the cluster, not the computer name. If you have specified a named instance, type the server and instance name in the following format: DatabaseServer\InstanceName.

SQL Server Management Studio opens.

Expand Databases, right-click or open the context menu for the database for the instance of PWA, and then choose Properties:

For Project Server 2010: PWA_Reporting or PWA_Publishing

For Project Server 2013: ProjectWebApp

On the Permissions page, add the service account for TFS (required for Project Server 2010 and for Project Server 2013 in Permission mode).
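After the database step it is worth confirming, rather than assuming, that the two service accounts actually exist as users in every PWA database, since a missing database user surfaces later as synchronization failures rather than at registration time. The script below is an added example, not code from the original article or from the product; it uses Invoke-Sqlcmd to list the Windows users and groups in each PWA database and flags any required account that is absent. The instance name, database names for the version you run, and the two account names are placeholders.

```powershell
# Added example (not from the original article): verify that the TFS service account and the
# Project Server web application pool account are database users in each PWA database.
# Requires the SqlServer module (or the older SQLPS module) and Windows authentication to the instance.
if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) {
    Import-Module SqlServer -ErrorAction SilentlyContinue
    if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) { Import-Module SQLPS -DisableNameChecking }
}

$sqlInstance = 'PSDBSERVER\PROJECT'          # placeholder, in the article's DatabaseServer\InstanceName format
$requiredAccounts = @(
    'CONTOSO\svc-tfs',                       # placeholder: TFS service account
    'CONTOSO\svc-ps-apppool'                 # placeholder: Project Server web application pool account
)
# Project Server 2010 uses PWA_Reporting and PWA_Publishing; Project Server 2013 uses ProjectWebApp.
$pwaDatabases = @('PWA_Reporting', 'PWA_Publishing', 'ProjectWebApp')

# Windows users (type U) and Windows groups (type G) in the database, with any roles they hold.
$query = @"
SELECT dp.name AS DatabaseUser,
       ISNULL(r.name, '(no role)') AS RoleName
FROM sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('U', 'G')
  AND dp.name NOT IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA');
"@

$existing = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query 'SELECT name FROM sys.databases' |
    Select-Object -ExpandProperty name

foreach ($db in $pwaDatabases) {
    if ($existing -notcontains $db) {
        Write-Output "[skip] $db is not present on $sqlInstance (expected for the other Project Server version)."
        continue
    }
    $users = Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $db -Query $query
    foreach ($account in $requiredAccounts) {
        $rows = @($users | Where-Object { $_.DatabaseUser -ieq $account })
        if ($rows.Count -gt 0) {
            $roles = ($rows.RoleName | Sort-Object -Unique) -join ', '
            Write-Output "[ok]   $db : $account is a database user (roles: $roles)"
        } else {
            Write-Warning "$db : $account has no database user; add it on the database's Permissions page."
        }
    }
}
```

The script only reads catalog views, so it can be run by anyone with Connect permission on the databases and is safe to repeat after each change; the roles column lets you see at a glance whether an account was given more than the integration needs.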

Accounts of users who configure the TFS-Project Server integration require Administer Project Server Integration permission set to allow. Set this for each project collection that you map to a PWA.

From the Security page for the project collection, either open the permissions for a user account or a Windows account that you’ve added to TFS for administering project server integration. Set the permissions for Administer Project Server Integration to Allow.

Accounts of users who work in Project Professional or TFS require permissions to view or contribute to TFS.

From the TWA administration Security page for the team project, you can add accounts to either the project collection or each team project. Add accounts or the Active Directory groups to the appropriate roles.

Verify that user accounts or groups have been added to the following TFS groups:

Contributor role: Team members who work in a TFS project that is integrated with Project Server. This includes all user accounts assigned as resources in the project plan or to the Assigned To field for a work item. These users submit status updates that flow into the status queue for the project manager.

Reader role: Users who modify enterprise project plans that are mapped to a team project.
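The Contributor and Reader memberships above are easy to check from the command line once the groups are populated. The script below is an added example, not code from the original article or from the product; it runs TFSSecurity.exe with /imx (identity information with membership expanded) for each team project group and flags expected accounts that do not appear. It assumes TFSSecurity.exe from the TFS Tools folder is on the PATH; the collection URL, team project name and account names are placeholders.

```powershell
# Added example (not from the original article): confirm that the accounts expected in the
# TFS Contributors and Readers groups are actually members, using TFSSecurity.exe.
# TFSSecurity.exe is assumed to be on the PATH (it ships in the TFS Tools folder).
$collectionUrl = 'http://tfs.example.com:8080/tfs/DefaultCollection'   # placeholder
$teamProject   = 'Fabrikam'                                             # placeholder

# Group -> accounts (or AD groups) the article expects there. All values are placeholders.
$expected = @{
    "[${teamProject}]\Contributors" = @('CONTOSO\Fabrikam Team Members')   # resources / work item assignees
    "[${teamProject}]\Readers"      = @('CONTOSO\Fabrikam Project Managers') # Project Professional users
}

foreach ($group in $expected.Keys) {
    # /imx lists the identity together with its membership, expanded through nested groups.
    $listing = & tfssecurity.exe /imx $group "/collection:$collectionUrl" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "tfssecurity failed for $group :`n$listing"
        continue
    }
    foreach ($account in $expected[$group]) {
        if ($listing -match [regex]::Escape($account)) {
            Write-Output "[ok]      $group contains $account"
        } else {
            Write-Warning "$group does not list $account; add it from the team project's Security page in TWA."
        }
    }
}
```

Matching on the expanded listing means an account added indirectly through an Active Directory group, as the article recommends, is still reported as present.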

Use the following checklist to review that all permissions have been set according to your version and authentication mode.

| Account | Permissions | Project Server 2010 | Project Server 2013, Permission Mode | Project Server 2013, SharePoint Mode | Application |
|---|---|---|---|---|---|
| Service account for TFS | Global and Category permissions | | | | PWA |
| | Administrators for Project Web App group | | | | PWA |
| | Site Collection Administrators group | | | | SharePoint Central Administration |
| | Connect permissions to the Project Server Service Application (Full Control) | | | | SharePoint Central Administration |
| | PWA_Reporting and PWA_Publishing databases | | | | SQL Server Management Studio |
| | ProjectWebApp database | | | | SQL Server Management Studio |
| Service account for the Project Server web application pool (Note 1) | Administrators for PWA group | | | | SharePoint Central Administration |
| | PWA_Reporting and PWA_Publishing databases | | | | SQL Server Management Studio |
| | ProjectWebApp database | | | | SQL Server Management Studio |
| Service account for the Project Server Event Handler | Connect permissions to the Project Server Service Application (Full Control) | | | | SharePoint Central Administration |
| | Administrators for PWA group | | | | SharePoint Central Administration |
| User accounts that configure the integration and run the TfsAdmin ProjectServer RegisterPWA command | Administrators for Project Web App | | | | SharePoint Central Administration |
| | PWA site collection administrator | | | | SharePoint Central Administration |
| | Team Foundation Administrators group | | | | Team Foundation Administration Console |
| | Administer Project Server integration | | | | TWA |
| User accounts that map components to support TFS-Project Server integration but do not register PWAs | Administer Project Server integration | | | | TWA |
| Users of Project Professional | Project Manager group for each PWA instance | | | | PWA or SharePoint Central Administration |
| | TFS Readers group | | | | TWA |
| Users assigned as project resources or who have TFS work items assigned to them | Team Members for Project Web App group | | | | PWA or SharePoint Central Administration |
| | Team Members, Security Categories (Note 2) | | | | PWA |
| | Enterprise resource pool and the project resource pool for the project plan | | | | PWA |
| | TFS Contributors group | | | | TWA |

Notes:

Note 1: Some deployments might have more than one service account for the Project Server Web Application Pool. Go here to determine the service accounts for these application pools.

Note 2: The Security Categories assigned to Team Members by default are sufficient; however, if these categories have been customized, then some permissions might have been removed. The following categories are required: Create New Task or Assignment, Create Object Links, Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2010), and Open Project, View Project Site, and View Project Schedule in Project Web App (Project Server 2013, Project permission mode).

Next, in IIS Manager, expand Sites and find the SharePoint web site that hosts the PWA. Open Advanced Settings for its application pool; the Identity field shows the account that the application pool runs as.

For Project Server 2013: In IIS Manager, expand Sites, expand SharePoint Web Services, and expand each GUID-named application until you find the one that contains the Project Server Interface (PSI) service. In Advanced Settings, note the Application Pool, which also has a GUID name.

Under Application Pools in IIS Manager, find the account that is used to run that GUID-named application pool.
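Clicking through Advanced Settings for each GUID-named application does not scale on a farm with several service applications. The script below is an added example, not code from the original article or from the product; it uses the WebAdministration module to map every IIS web application to its application pool and the identity that pool runs as, so the Project Server web application pool account (Note 1) and the pool behind the PSI service can be read off in one pass. The PSI detection is a heuristic assumed here: it flags an application that has a PSI folder or virtual directory under it.

```powershell
# Added example (not from the original article): list IIS web applications with their application
# pools and pool identities. Run in an elevated PowerShell session on the SharePoint web front end
# that hosts PWA.
Import-Module WebAdministration

# Application pool name -> identity. GUID-named pools belong to SharePoint service applications.
$poolIdentity = @{}
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    $poolIdentity[$pool.Name] = switch ($pm.identityType) {
        'SpecificUser' { $pm.userName }                     # a domain service account
        default        { "(built-in) $($pm.identityType)" } # ApplicationPoolIdentity, NetworkService, ...
    }
}

$rows = foreach ($site in Get-Website) {
    foreach ($app in Get-WebApplication -Site $site.Name) {
        # Heuristic (assumption): the Project Server Service Application is the GUID-named application
        # under "SharePoint Web Services" that exposes a PSI folder or virtual directory.
        $hasPsi = (Test-Path (Join-Path $app.PhysicalPath 'PSI')) -or
                  [bool](Get-WebVirtualDirectory -Site $site.Name -Application $app.path -ErrorAction SilentlyContinue |
                         Where-Object { $_.path -like '*PSI*' })
        [pscustomobject]@{
            Site        = $site.Name
            Application = $app.path
            AppPool     = $app.applicationPool
            Identity    = $poolIdentity[$app.applicationPool]
            HasPsi      = $hasPsi
        }
    }
}

# Full map: the root application of the site that hosts PWA gives the
# Project Server web application pool identity (Note 1).
$rows | Sort-Object Site, Application | Format-Table -AutoSize

# Project Server 2013: the row(s) flagged HasPsi identify the GUID-named pool for the PSI service.
$rows | Where-Object HasPsi | Select-Object Site, Application, AppPool, Identity
```

Pools that run as a built-in identity are shown as such; only pools that run as SpecificUser correspond to the domain service accounts that this article asks you to add to PWA groups and databases.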